9 March 2020

Data protection by design and default – 2 of 6 Insights

Data protection by design and default – a tale of two business models

Jo Joyce looks at common issues faced by two different types of businesses trying to implement privacy by design and default.


Jo Joyce

Senior Counsel

The concept of data protection by design and default (DPDD), where properly embraced, should save time and money in the long run. By addressing privacy requirements early, most organisations can reduce the delays and adaptation costs that arise from dealing with compliance as an afterthought. More than that, it is now a requirement under the GDPR.

Learning to factor privacy into the development process is tricky and may require a lot of buy-in from around the business. Our clients all have their own unique challenges to tackle when trying to embed a pro-privacy culture across their organisations. Here are a few of the common issues faced by two different types of business.

The established business

Getting buy-in

Most established businesses have set ways of doing things and change does not always come easily. DPDD often requires a fundamental shift in thinking and, for it to be successful, support from across the organisation is essential. It's not just design-focused teams which need to embrace the new approach; all levels of management need to accept it too and ensure that any pressure to cut corners is resisted.

DPDD is likely to result in some additional upfront bureaucracy, in the form of Data Privacy Impact Assessments and transparency records. It is essential that managers incentivise their teams to invest time in record keeping early on in any design or development process, rather than making it easier to skip this crucial process.

One of the great benefits of operating an established business is that, over the years, it becomes less necessary to develop new processes: tried and tested approaches to everything from product design to HR procedures can be adopted, tweaked and refreshed, safe in the knowledge that they have worked well in the past. The downside to this approach is that few of these tried and tested processes will have privacy as a core aim; privacy will often be considered only at a later stage of development or testing.

Shifting the focus to privacy from the beginning and throughout may involve significant changes to embedded procedures, team structures, funding and the technology used. It is essential to have the workforce on side but nothing should be sacred if it impedes the embrace of DPDD.

Managing competing priorities – international differences

One of the biggest challenges for international organisations is the management of competing priorities across multiple jurisdictions. In the UK/EU, DPDD has shifted from best practice to an essential requirement, but other regions take different approaches to the culture of privacy. Speed of service and comprehensive personalisation may be more desirable to non-EU customers or at least more encouraged by the regimes of their countries.

Some companies may choose to tailor their product or service to the jurisdiction of their customers, but adopting lower privacy standards for products which don't have GDPR-level requirements is not necessarily productive in the long term. It is likely to add to product development and manufacture costs and to create potential reputational issues. Uniformity of design is expected by a well-travelled customer base and adopting privacy standards that may currently exceed those of non-EU countries is likely to be the best approach in a world that is growing increasingly aware of data privacy issues.

Managing partners

The larger and more established an organisation, the more complex and ingrained its data flows will be. It is also likely that many partner organisations will have access to personal data, both as controllers and processors. Since it is essential to ensure that data will be secure and appropriately used prior to making any transfer, DPDD may require a significant due diligence process as well as a regular need to audit processors in particular.

For smaller businesses and start-ups, this may not be too onerous, but for an international business working with suppliers and partners all over the world it could be a costly and extremely time-consuming obligation.

The startup

Slowing down the development process

Product and service line development can often take place at a breakneck speed within a startup environment. A combination of enthusiasm, investor pressure and limited resources can make tight deadlines a necessity. Trying to factor privacy requirements into the mix can feel like a distraction from the end goal.

However, startups and smaller companies have the advantage of a fresh start in the development process. Without established practices it is much easier to embrace privacy from the very beginning, potentially creating a competitive advantage over less flexible competitors, particularly where strong privacy features can be used as a selling point for customers.

Factoring in the cost of privacy

Alongside possible delays in the development process, smaller organisations have to factor in the cost of meeting privacy requirements. In many cases this will be the cost of legal advice in reviewing techniques and preparing policies and procedures. The most privacy-friendly solutions may not be the cheapest, with additional technical requirements and safeguards needed to ensure security of data; it can seem tempting to cut corners in the early stages.

While the costs of taking privacy seriously should be proportionate in the context of the business and the intended processing activities, it is important to remember that a failure to invest in the early stages may lead to much bigger financial liabilities and legal risks in the long run.

Developing expertise

Because privacy affects virtually every area of modern business, the need to ensure that adequate expertise is available across the company may seem virtually impossible. This can be dealt with in part by ensuring suppliers and partners have their own expertise on which the startup can draw. This may mean requiring freelance product engineers or HR consultants to be familiar with the concept of DPDD and training them where necessary.

Smaller companies do have the opportunity to make sure that all employees are trained and supported in their privacy obligations in a way that can be much more logistically challenging for big companies, but sourcing specialist, in-depth support may be much harder for smaller businesses. Even a small business that is processing large amounts of special data or engaged in monitoring or profiling of customers will need a Data Protection Officer (DPO). It is essential that the DPO, if internal, is able to access an adequate level of support and training to fulfil their duties. The DPO should also have a direct line of report to the most senior level of the company – it is not a position for a junior employee.

It is possible to outsource the DPO role to a professional and this may work well for a startup that has to appoint one. However, it is essential that the DPO has sufficient knowledge of and access to the business and their appointment should be regularly reassessed to ensure it is meeting the needs of the company.
